apache files docs owned by root.

Bug #62068 reported by Carl Karsten
Affects | Status | Importance | Assigned to | Milestone
apache2 (Ubuntu) | Invalid | Undecided | Ralph Janke |

Bug Description

Binary package hint: apache2

I think these dirs/files should be owned by www-data, not root.

juser@yate2:/var$ ls -ld www www/apache2-default/ www/apache2-default/*
drwxr-xr-x 3 root root 4096 2006-09-23 13:46 www
drwxr-xr-x 2 root root 4096 2006-09-23 13:46 www/apache2-default/
-rw-r--r-- 1 root root 2160 2004-11-21 08:35 www/apache2-default/apache_pb2_ani.gif

juser@yate2:/var$ grep www /etc/passwd
www-data:x:33:33:www-data:/var/www:/bin/sh

Ralph Janke (txwikinger) wrote :

Thanks for your bug report.

For security reasons, these files should not be owned by www-data. They are readable by www-data (and therefore the Apache server process) because they are readable by 'others'. However, they are not writable by anyone but root, in order to prevent somebody from maliciously creating a backdoor through the Apache server to break into your system.

Therefore, I would like to close this bug report. Is this acceptable to you?

Thanks

Changed in apache2:
assignee: nobody → rjanke
status: Unconfirmed → Needs Info
Carl Karsten (carlfk) wrote :

I checked around, and it seems 'owned by root' is indeed best.

I got the most definitive answer from:
CarlFK: what is done after the install is a separate issue. I was just questioning the 'root' part of the installer. But so far I am still hearing 'root' is good, right?
niq: yep.
***niq busy preparing his apache security presentation for apachecon

Changed in apache2:
status: Needs Info → Rejected
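
The ownership reasoning in this thread (root-owned, readable through 'others', not writable by the server account) can be checked mechanically. The script below is an added example, not part of the bug report or the apache2 package; `audit_docroot` and `demo` are hypothetical names, and the demo tree is constructed, with the invoking user standing in for root and made-up numeric IDs standing in for www-data.

```shell
#!/bin/sh
# Added example: audit a docroot for content the web server account could modify.
# On a real host (names from the report): audit_docroot /var/www www-data www-data
# Prints "<reason> <path>" per finding; returns 1 if anything was found, 0 if clean.
audit_docroot() {
    docroot=$1; web_user=$2; web_group=$3
    findings=$(
        # The owner can rewrite or chmod an entry regardless of its mode bits.
        find "$docroot" -user "$web_user" \
            -exec printf 'owned-by-web-user %s\n' {} \;
        # Group write matters only when the group is the one the server runs as.
        find "$docroot" ! -type l -group "$web_group" -perm -020 \
            -exec printf 'writable-by-web-group %s\n' {} \;
        # World-writable entries are writable by the server through others.
        find "$docroot" ! -type l -perm -002 \
            -exec printf 'world-writable %s\n' {} \;
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed demo tree shaped like the listing in the report. The invoking
# user stands in for root; uid+1 / gid+1 are assumed stand-ins for www-data.
demo() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/www/apache2-default"
    : > "$tmp/www/apache2-default/apache_pb2_ani.gif"
    chmod 755 "$tmp/www" "$tmp/www/apache2-default"
    chmod 644 "$tmp/www/apache2-default/apache_pb2_ani.gif"
    web_uid=$(( $(id -u) + 1 ))
    web_gid=$(( $(id -g) + 1 ))
    echo "== packaged layout (755/644, not owned by the server) =="
    audit_docroot "$tmp/www" "$web_uid" "$web_gid" && echo "clean"
    # Constructed drift: a file left world-writable after the install.
    : > "$tmp/www/apache2-default/scratch.html"
    chmod 666 "$tmp/www/apache2-default/scratch.html"
    echo "== after a world-writable file appears =="
    audit_docroot "$tmp/www" "$web_uid" "$web_gid" || echo "findings reported"
    rm -rf "$tmp"
}
demo
```

A non-zero return from `audit_docroot` makes it usable as a cron or CI check on the docroot.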